Planning is paramount in the performance of a risk-based audit and the most relevant ISAs for such purpose, namely:
ISA 300 ‘Planning an Audit of Financial Statements’,
ISA 315 ‘Identifying and assessing the risks of material misstatement through understanding the entity and the environment’, and
ISA 330 ‘The auditor’s responses to assessed risks’,
have not been materially changed so that an auditor already adopting an effective approach under the current ISAs should not be required to make relevant changes to his methodology and practice.
ISA 315 in particular requires the auditor to identify risks throughout the process of obtaining an understanding of the entity and its environment and to assess the potential impact of such risks on the accounts as a whole and on specific assertions.
It is important to point out that the risk identification process should start from developing knowledge of the nature, characteristics and dynamics of the entity and of the environment in which it operates and then move to the assessment of the potential effect in terms of misstatement that such risks could have on the financial statements, rather than following the contrary route of starting to assess risk by reading the financial statements, which could result in missing relevant and pervasive risks relating to industry or entity specific circumstances.
To achieve the objective above the auditor should obtain, among other things, an understanding of the following:
a) The factors at play in the industry sector in which the entity operates, like market size, level of competition, supplier and customer relationships;
b) Regulatory factors such as significant laws and regulations, which could be general or industry specific, like environmental requirements specific to an industry, general employment legislation, health and safety regulations and the applicable financial reporting framework;
c) Relevant external factors affecting the entity like the general economic conditions, interest rates and the availability of finance;
d) The nature and history of the entity, including its operations, revenue sources, products, services, markets served, key personnel, locations, ownership structure, business investments underway or planned, key customers, key suppliers and its financing structure;
e) The selection, application and appropriateness of the accounting policies used by the entity and reasons for any changes;
f) Objectives and strategies of the entity and related business risks; and
g) Review of the entity’s financial performance.